VDB

CVE-2023-22946

CVE-2023-22946 PUBLISHED

In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.

EPSS 0.44% · 63.5th percentile

Risk Scores

EPSS Score
0.44%
63.5th percentile

Affected Products

VendorProductVersions
Bitnamispark0
Bitnamispark0

Exploit Intelligence

…and 12 more exploits

Timeline

  • Apr 17, 2023 CVE Published
  • Apr 17, 2023 EPSS Score
  • May 25, 2023 EPSS Score
  • Jul 1, 2023 EPSS Score
  • Aug 8, 2023 EPSS Score
  • Sep 14, 2023 EPSS Score
  • Oct 22, 2023 EPSS Score
  • Nov 28, 2023 EPSS Score
  • Jan 5, 2024 EPSS Score
  • Mar 20, 2024 EPSS Score
  • Apr 27, 2024 EPSS Score
  • Jun 3, 2024 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›